DETAILED ACTION 

Claim Rejections - 35 USC §102 

1. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the 
basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by another filed 
in the United States before the invention by the applicant for patent or (2) a patent granted on an application for 
patent by another filed in the United States before the invention by the applicant for patent, except that an 
international application filed under the treaty defined in section 351(a) shall have the effects for purposes of this 
subsection of an application filed in the United States only if the international application designated the United 
States and was published under Article 21(2) of such treaty in the English language. 

2. Claims 1, 2, 4, and 5 are rejected under 35 U.S.C. 102(e) as being anticipated by Walker 
et al. (US 2002/0163920 A1), hereinafter referred to as Walker. 

Regarding claim 1, Walker discloses a method and apparatus for providing network 
security, which comprises: 

Receiving a packet (Referring to Figure 1, packets for routing are received. See 
paragraph 0039;) 

Classifying the packet as having a security group designation selected from a plurality of 
security group designations, the security group designation associating a set of destinations and 
a set of sources authorized to access the set of destinations (Referring to Figure 1, packets 
destined to be routed over different VLANs have different security associations; the security 
association authorizes routing or switching from specific sources to specific destinations via 
tunnels. See paragraphs 0035, 0039, and 0044;) and 

Applying a security group tag to the packet which identifies the security group 
designation, the security group tag being applied in a field not reserved for virtual local area 
network information (Referring to Figure 1, during the preparation process authentication 
information is added to each payload packet, which is not in a designated VLAN field. See 
paragraph 0014.) 

Regarding claims 2 and 5, Walker discloses wherein the security group tag is applied in a 
field reserved for layer one (Referring to Figure 1, during the preparation process authentication 
information is added to each payload packet, at the physical layer since it is not included in the 
Layer-2 or Layer-3 header. See paragraph 0014.) 

Regarding claim 4, Walker discloses a method and apparatus for providing network 
security, which comprises: 

Receiving a packet (Referring to Figure 1, packets for routing are received. See 
paragraph 0039;) 

Classifying the packet as having a security group designation selected from a plurality of 
security group designations, the security group designation associating a set of destinations and 
a set of sources authorized to access the set of destinations (Referring to Figure 1, packets 
destined to be routed over different VLANs have different security associations; the security 
association authorizes routing or switching from specific sources to specific destinations via 
tunnels. See paragraphs 0035, 0039, and 0044;) and 

Applying a security group tag to the packet which identifies the security group 
designation, the security group tag being applied in a field reserved for security group 
information (Referring to Figure 1, during the preparation process authentication information is 
added to each payload packet, thereby considered reserved since the intended placement of the 
authentication information relates to the payload packet. See paragraph 0014.) 
Claim Rejections - 35 USC §103 

3. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

4. Claims 3 and 6 are rejected under 35 U.S.C. 103(a) as being unpatentable over Walker 
(US 2002/0163920 A1) in view of Heggarty et al. (US 2003/0235191 A1), hereinafter referred to 
as Heggarty. 

Regarding claims 3 and 6 as explained in the rejection statement of claims 1 and 4, 
Walker discloses all of the claim limitations of claims 1 and 4 (parent claims). 

Walker does not disclose wherein the security group tag is applied in a field reserved for 
layer two. 

Heggarty teaches utilizing the VLAN ID from the Q-tag in the Ethernet frame header 
(layer-2) for packet forwarding in a switch (See paragraph 0048.) 

It would have been obvious to one of ordinary skill in the art at the time of the invention 
to implement the Layer-2 tagging of Heggarty in the system of Walker. One of ordinary skill in 
the art at the time of the invention would have been motivated to do so in order to improve 
system efficiency and reduce system processing by implementing the authentication information 
in the VLAN Ethernet header for Layer-2 networks as taught by Walker (See paragraphs 0009 
and 0014.) 
5. Claims 7-42 are rejected under 35 U.S.C. 103(a) as being unpatentable over Walker (US 
2002/0163920 A1) in view of Van Seters et al. (US 5,978,378), hereinafter referred to as Van 
Seters. 

Regarding claims 7, 14, 18-21, 29-32, and 38, Walker discloses a method and apparatus 
for providing network security, which comprises: 

Receiving a packet (Referring to Figure 1, packets, comprising a first and subsequent 
packets, for routing are received. See paragraph 0039;) 

Classifying the packet as having a security group designation selected from a plurality of 
security group designations, wherein the first security group designation associating a first set of 
destinations and a first set of sources authorized to access the first set of destinations (Referring 
to Figure 1, packets, comprising a first and subsequent packets, destined to be routed over 
different VLANs have different security associations, the security association authorizes routing 
or switching from specific sources to specific destinations via tunnels. See paragraphs 0035, 
0039, and 0044;) and 

Applying a security group tag to the packet which identifies the first security group 
designation (Referring to Figure 1, during the preparation process authentication information is 
added to each payload packet, first and subsequent packet, which is not in a designated VLAN 
field and utilized to verify the authenticity of the packet. See paragraph 0014.) 

Walker does not disclose wherein the security group tag being applied in a field reserved 
for layer three or higher and wherein the information in the field is not used in forwarding 
decisions by inter switch links. 
Walker teaches during the preparation process authentication information is added to 
each payload packet, at the physical layer since it is not included in the Layer-2 or Layer-3 
header (See paragraph 0014.) However, Van Seters teaches identifying VLAN members by a 
field located at the layer-3 header of each data unit (See column 1, lines 28-30 and 35-62.) 

It would have been obvious to one of ordinary skill in the art at the time of the invention 
to implement the authentication information of Walker in the Layer-3 header of Van Seters. One 
of ordinary skill in the art at the time of the invention would have been motivated to do so in 
order to improve system efficiency and reduce system processing by implementing the 
authentication information in the VLAN IP header for Layer-3 networks as taught by Walker 
(See paragraphs 0009 and 0014.) 

Regarding claims 8, 22, and 23, the primary reference further teaches providing 
authentication information in the first packet (Referring to Figure 1, during the preparation 
process authentication information is added to each payload packet, which is not in a designated 
VLAN field, for authentication purposes. See paragraph 0014.) 

Regarding claims 9 and 24, the primary reference further teaches encrypting/decrypting 
the first security group tag (Referring to Figure 1, the packet is encrypted and decrypted. See 
paragraph 0036.) 

Regarding claims 10 and 27, the primary reference further teaches: 

Receiving a second packet (Referring to Figure 1, packets, comprising a first and second 
packet, for routing are received. See paragraph 0039;) 

Classifying the second packet as having a security group designation selected from a 
plurality of security group designations, wherein the second security group designation 
associating a first set of destinations and a first set of sources authorized to access the first set of 
destinations (Referring to Figure 1, each first and subsequent packet destined to be routed over 
different VLANs have different security associations, the security association authorizes routing 
or switching from specific sources to specific destinations via tunnels. See paragraphs 0035, 
0039, and 0044;) and 

Applying a security group tag to the packet which identifies the second security group 
designation (Referring to Figure 1, during the preparation process authentication information is 
added to each first and subsequent payload packet, which is not in a designated VLAN field. See 
paragraph 0014.) 

Regarding claim 11, the primary reference further teaches receiving the packet directly 
from a source node (Referring to Figure 1, the tunnel is established between a source and 
destination. See paragraph 0038.) 

Regarding claim 12, the primary reference further teaches classifying the packet based on 
a source identity (Referring to Figure 1, the tunnel is established between a source and 
destination, in which the preparation process adds authentication information to the packet in 
accordance with the source creating the tunnel. See paragraphs 0014 and 0038.) 

Regarding claim 13, the primary reference further teaches classifying the packet based on 
a payload content (Referring to Figure 1, the tunnel is established between a source and 
destination, in which the preparation process adds authentication information to the packet in 
accordance with the source creating the tunnel and packet payload. See paragraphs 0014 and 
0038.) 
Regarding claim 15, the primary reference further teaches wherein the second set of 
sources comprise a source that is included in the first set of sources (Referring to Figure 1, the 
tunnel is established between a source and destination, in which the preparation process adds 
authentication information to the packet in accordance with the source creating the tunnel and 
packet payload. See paragraphs 0014 and 0038.) 

Regarding claim 16, the primary reference further teaches wherein the second set of 
destinations comprise a destination that is included in the first set of destinations (Referring to 
Figure 1, the tunnel is established between a source and destination, in which the preparation 
process adds authentication information to the packet in accordance with the source creating the 
tunnel and packet payload. See paragraphs 0014 and 0038.) 

Regarding claim 25, the primary reference further teaches wherein the first security 
group is a closed group (Referring to Figure 1, the tunnel is established between a source and 
destination, in which the preparation process adds authentication information to the packet in 
accordance with the source creating the tunnel (closed group) and packet payload. See 
paragraphs 0014 and 0038.) 

Regarding claim 26, the primary reference further teaches wherein the first security 
group is a partially overlapping group (Referring to Figure 1, the tunnel is established between a 
source and destination, in which the preparation process adds authentication information to the 
packet in accordance with the source creating the tunnel and packet payload which spans nodes 
(partially overlapping group). See paragraphs 0014 and 0038.) 

Regarding claims 28, 34, 36, and 40, the primary reference further teaches applying a 
policy to the packet based upon the first security group and the destination address, wherein the 
policy is selected from the group of actions consisting of: forwarding the packet; forwarding the 
packet and making a record of forwarding the packet; dropping the packet; dropping the packet 
and making a record of dropping the packet; and inspecting other fields of the packet to 
determine how to dispose of the packet (Referring to Figure 1, the security association of the 
packet specifies the routing of the packet and whether the packet is forwarded or discarded. See 
paragraph 0039.) 
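The claim limitations walked through above (receive a packet, classify it into a security group designation that associates authorized sources with destinations, carry the designation in a tag field separate from the VLAN field, then apply one of the policy actions of claims 28, 34, 36 and 40) can be illustrated with the following added example. It is constructed here for illustration and is not code from Walker, Van Seters, Heggarty or the application under examination; the group names, prefixes and policy rows are constructed sample data.

```python
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network
from typing import Optional
class Action(Enum):
    FORWARD = "forward"
    FORWARD_RECORD = "forward and record"
    DROP = "drop"
    DROP_RECORD = "drop and record"
    INSPECT = "inspect other fields"
# Constructed sample: each security group designation associates a set of
# sources with the set of destinations those sources are authorized to reach.
GROUPS = {
    "finance": {"sources": ["10.1.0.0/24"], "destinations": ["10.9.0.0/24"]},
    "guest": {"sources": ["10.1.1.0/24"], "destinations": ["203.0.113.0/24"]},
}
# Policy rows keyed on (security group, destination prefix); first match wins.
POLICY = [
    ("finance", "10.9.0.0/24", Action.FORWARD),
    ("finance", "10.9.1.0/24", Action.FORWARD_RECORD),
    ("guest", "203.0.113.0/24", Action.FORWARD),
    ("guest", "10.0.0.0/8", Action.DROP_RECORD),
    ("guest", "0.0.0.0/0", Action.INSPECT),
]

@dataclass
class Packet:
    src: str
    dst: str
    vlan: Optional[int] = None  # VLAN field; tagging never writes here
    sgt: Optional[str] = None   # security group tag, carried in a separate field

def classify(pkt: Packet) -> Optional[str]:
    """Classify by source identity: the group whose source set contains the sender."""
    for name, group in GROUPS.items():
        if any(ip_address(pkt.src) in ip_network(n) for n in group["sources"]):
            return name
    return None
def apply_tag(pkt: Packet) -> Packet:
    pkt.sgt = classify(pkt)  # ingress: write the designation into the tag field only
    return pkt

def enforce(pkt: Packet) -> Action:
    """Egress: pick the action from the tag and destination, not from the VLAN id."""
    if pkt.sgt is None:
        return Action.DROP_RECORD  # untagged traffic is dropped and recorded
    for group, prefix, action in POLICY:
        if group == pkt.sgt and ip_address(pkt.dst) in ip_network(prefix):
            return action
    return Action.DROP
```

Two hosts on the same VLAN but in different security groups receive different treatment at egress, which is the point of carrying the designation outside the VLAN field.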

Regarding claims 33 and 39, the primary reference further teaches wherein the method is 
implemented on a router (Referring to Figure 1, the direct routing method is implemented on a 
layer 3 device. See paragraph 0037.) 

Regarding claims 35 and 41, the primary reference further teaches wherein the router 
resides in a local area network of a multi-LAN enterprise network and physically connects, 
directly, to a host (Referring to Figure 1, the layer 3 device resides in a LAN of a multi-LAN 
network and physically connects the source and destination.) 

Regarding claims 37 and 42, the primary reference further teaches wherein transmitting 
the packet or denying transmission or delaying transmission of the packet effects the level of 
service constraint, and wherein different security groups correspond to different levels of service 
(Referring to Figure 1, the system comprises authentication logic, decision logic and routing 
logic based on security associations. See paragraph 0028.) 

Conclusion 

6. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Donald L. Mills whose telephone number is 571-272-3094. The 
examiner can normally be reached from 8:00 AM to 4:30 PM. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Chi Pham can be reached on 571-272-3179. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

/Donald L Mills/ 
August 31, 2007 